remove more stuff from ntdll

2018-06-13 21:52:45 -04:00 · 2018-06-13 21:52:45 -04:00 · d89cc56d6f
commit d89cc56d6f
parent c393d29115
7 changed files with 42 additions and 60 deletions
--- a/vnr/ntinspect/ntinspect.cc
+++ b/vnr/ntinspect/ntinspect.cc
@ -76,7 +76,7 @@ BOOL getModuleMemoryRange(LPCWSTR moduleName, DWORD *lowerBound, DWORD *upperBou
        do {
          DWORD len;
          // Nt function is needed instead of VirtualQuery, which only works for the current process
-          ::NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
+          ::NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
          if (mbi.Protect & PAGE_NOACCESS) {
            it->SizeOfImage = size;
            break;
--- a/vnr/vnrhook/src/engine/engine.cc
+++ b/vnr/vnrhook/src/engine/engine.cc
@ -5932,7 +5932,7 @@ bool InsertWaffleDynamicHook(LPVOID addr, DWORD frame, DWORD stack)
 //    str = *(DWORD*)stack;
 //    if ((str >> 16) != (stack >> 16))
 //    {
-//      status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
+//      status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
 //      if (!NT_SUCCESS(status) || info.Protect & PAGE_NOACCESS) continue; //Accessible
 //    }
 //    if (*(WORD*)(str + 4) == ch) break;
@ -8188,7 +8188,7 @@ bool IsPensilSetup()
  IO_STATUS_BLOCK ios;
  LPVOID buffer = nullptr;
  NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation);
-  NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0,
+  NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
      &info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
  NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0);
  CloseHandle(hFile);
@ -8199,7 +8199,7 @@ bool IsPensilSetup()
  b[len] = 0;
  b[len + 1] = 0;
  bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
-  NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
+  NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
  return ret;
 }
 #endif // if 0
@ -8853,23 +8853,23 @@ MEMORY_WORKING_SET_LIST *GetWorkingSet()
  NTSTATUS status;
  LPVOID buffer = 0;
  len = 0x4000;
-  status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+  status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
  if (!NT_SUCCESS(status)) return 0;
-  status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
+  status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
  if (status == STATUS_INFO_LENGTH_MISMATCH) {
    len = *(DWORD*)buffer;
    len = ((len << 2) & 0xfffff000) + 0x4000;
    retl = 0;
-    NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
+    NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
    buffer = 0;
-    status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+    status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if (!NT_SUCCESS(status)) return 0;
-    status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
+    status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
    if (!NT_SUCCESS(status)) return 0;
    return (MEMORY_WORKING_SET_LIST*)buffer;
  } else {
    retl = 0;
-    NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
+    NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
    return 0;
  }

@ -8920,7 +8920,7 @@ BOOL FindCharacteristInstruction(MEMORY_WORKING_SET_LIST *list)
    else {
      if (size > 0x2000) {
        addr = base & ~0xfff;
-        status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)addr,
+        status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)addr,
            MemorySectionName,text_buffer_prev,0x1000,&retl);
        if (!NT_SUCCESS(status)) {
          k = addr + size - 4;
@ -8962,7 +8962,7 @@ bool InsertAB2TryHook()
    ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence");
  //L"Make sure you have start the game and have seen some text on the screen.");
  DWORD size = 0;
-  NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
+  NtFreeVirtualMemory(GetCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
  return ret;
 }

--- a/vnr/vnrhook/src/engine/match.cc
+++ b/vnr/vnrhook/src/engine/match.cc
@ -885,7 +885,7 @@ bool DetermineEngineType()
 //

 HANDLE hijackThread;
-void hijackThreadProc(LPVOID unused)
+DWORD WINAPI hijackThreadProc(LPVOID unused)
 {
  //CC_UNUSED(lpThreadParameter);

@ -901,6 +901,7 @@ void hijackThreadProc(LPVOID unused)

  FillRange(process_name_, &module_base_, &module_limit_);
  DetermineEngineType();
+  return 0;
 }

 }} // namespace Engine unnamed
@ -914,7 +915,7 @@ void Engine::hijack()
 {
  if (!hijackThread) {
    ConsoleOutput("vnreng: hijack process");
-    hijackThread = IthCreateThread(hijackThreadProc, 0);
+    hijackThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, hijackThreadProc, 0, 0, nullptr);
  }
 }

--- a/vnr/vnrhook/src/hijack/texthook.cc
+++ b/vnr/vnrhook/src/hijack/texthook.cc
@ -584,7 +584,7 @@ int TextHook::UnsafeInsertHookCode()

  // Verify hp.address.
  MEMORY_BASIC_INFORMATION info = {};
-  NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
+  NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
  if (info.Type & PAGE_NOACCESS) {
    ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access");
    return no;
@ -661,13 +661,13 @@ int TextHook::UnsafeInsertHookCode()
  // See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
  // See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
  DWORD addr = hp.address;
-  NtProtectVirtualMemory(NtCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
-  NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
+  NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
+  NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
  len = hp.recover_len - 5;
  if (len)
-    NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
-  NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
-  NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)::hookman, 0x1000);
+    NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
+  NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
+  NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
  //ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
  return 0;
 }
@ -719,8 +719,8 @@ int TextHook::RemoveHook()
  //with_seh({ // jichi 9/17/2013: might crash ><
  // jichi 12/25/2013: Actually, __try cannot catch such kind of exception
  ITH_TRY {
-    NtWriteVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
-    NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
+    NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
+    NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
  } ITH_EXCEPT {}
  //});
  hp.hook_len = 0;
@ -839,9 +839,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
  //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
  //ConsoleOutput(str);
  //MEMORY_BASIC_INFORMATION info;
-  //if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
+  //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
  //    MemoryBasicInformation,&info,sizeof(info),0)) &&
-  //    NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
+  //    NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
  //    MemorySectionName,name,0x200,0))) {
  //  swprintf(str, L"Exception offset: 0x%.8X:%s",
  //      ContextRecord->Eip-(DWORD)info.AllocationBase,
@ -866,9 +866,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
  //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
  //ConsoleOutput(str);
  //MEMORY_BASIC_INFORMATION info;
-  //if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
+  //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
  //    MemoryBasicInformation,&info,sizeof(info),0)) &&
-  //    NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
+  //    NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
  //    MemorySectionName,name,0x200,0))) {
  //  swprintf(str, L"Exception offset: 0x%.8X:%s",
  //      ContextRecord->Eip-(DWORD)info.AllocationBase,
--- a/vnr/vnrhook/src/main.cc
+++ b/vnr/vnrhook/src/main.cc
@ -68,6 +68,7 @@ HANDLE
    hFile,
    hMutex,
    hmMutex;
+HMODULE currentModule;
 //DWORD current_process_id;
 extern DWORD enter_count;
 //extern LPWSTR current_dir;
@ -157,27 +158,26 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)

 	  IthInitSystemService();

-      swprintf(hm_section, ITH_SECTION_ L"%d", current_process_id);
+      swprintf(hm_section, ITH_SECTION_ L"%d", GetCurrentProcessId());

      // jichi 9/25/2013: Interprocedural communication with vnrsrv.
 	  hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
      ::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, HOOK_SECTION_SIZE / 2);

 	  GetProcessName(::processName);
-	  FillRange(::processName, &::processStartAddress, &::processStopAddress);
-      //NtInspect::getProcessMemoryRange(&::processStartAddress, &::processStopAddress);
+	  ::processStartAddress = (DWORD)GetModuleHandleW(nullptr);

      {
        wchar_t hm_mutex[0x100];
-        swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", current_process_id);
-        ::hmMutex = IthCreateMutex(hm_mutex, FALSE);
+        swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", GetCurrentProcessId());
+		::hmMutex = CreateMutexW(nullptr, FALSE, hm_mutex);
      }
      {
        wchar_t dll_mutex[0x100];
-        swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", current_process_id);
+        swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", GetCurrentProcessId());
        DWORD exists;
-        ::hMutex = IthCreateMutex(dll_mutex, TRUE, &exists); // jichi 9/18/2013: own is true, make sure the injected dll is singleton
-        if (exists)
+		::hMutex = CreateMutexW(nullptr, TRUE, dll_mutex); // jichi 9/18/2013: own is true, make sure the injected dll is singleton
+        if (GetLastError() == ERROR_ALREADY_EXISTS)
          return FALSE;
      }

@ -186,8 +186,9 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
      ::tree = new AVLTree<char, FunctionInfo, SCMP, SCPY, SLEN>;
      AddAllModules();
      InitFilterTable();
+	  ::currentModule = hModule;

-      pipeThread = IthCreateThread(PipeManager, 0);
+      pipeThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, PipeManager, 0, 0, nullptr);
    } break;
  case DLL_PROCESS_DETACH:
    {
@ -211,7 +212,7 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
      for (TextHook *man = ::hookman; man->RemoveHook(); man++);
      //LARGE_INTEGER lint = {-10000, -1};
      while (::enter_count)
-        IthSleep(1); // jichi 9/28/2013: sleep for 1 ms
+        Sleep(1); // jichi 9/28/2013: sleep for 1 ms
        //NtDelayExecution(0, &lint);
      for (TextHook *man = ::hookman; man < ::hookman + MAX_HOOK; man++)
        man->ClearHook();
--- a/vnr/vnrhook/src/pipe.cc
+++ b/vnr/vnrhook/src/pipe.cc
@ -17,6 +17,7 @@
 #include <cstdio> // for swprintf

 HANDLE hookPipe;
+extern HMODULE currentModule;

 DWORD WINAPI PipeManager(LPVOID unused)
 {
@ -41,7 +42,8 @@ DWORD WINAPI PipeManager(LPVOID unused)
 			}
 		}

-		WriteFile(::hookPipe, &::current_process_id, sizeof(::current_process_id), nullptr, nullptr);
+		*(DWORD*)buffer = GetCurrentProcessId();
+		WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr);

 		for (int i = 0, count = 0; count < ::currentHook; i++)
 		{
@ -112,7 +114,7 @@ DWORD WINAPI PipeManager(LPVOID unused)
 		CloseHandle(::hookPipe);
 		CloseHandle(hostPipe);
 	}
-	Util::unloadCurrentModule();
+	FreeLibraryAndExitThread(::currentModule, 0);
 	return 0;
 }

--- a/vnr/vnrhook/src/util/util.cc
+++ b/vnr/vnrhook/src/util/util.cc
@ -302,26 +302,4 @@ termin:
  }
 }

-EXTERN_C IMAGE_DOS_HEADER __ImageBase;
-// See: http://stackoverflow.com/questions/3410130/dll-unloading-itself
-// TODO: This doesn't always work. Fix it.
-bool Util::unloadCurrentModule()
-{
-  auto fun = ::FreeLibrary;
-  //auto fun = ::LdrUnloadDll;
-  if (HANDLE h = ::IthCreateThread(fun, (DWORD)&__ImageBase)) {
-    //const LONGLONG timeout = -50000000; // in nanoseconds = 5 seconds
-    //NtWaitForSingleObject(h, 0, (PLARGE_INTEGER)&timeout);
-    CloseHandle(h);
-    return true;
-  }
-
-  // CreateThread does not always work on Windows XP. Use IthCreateThread (i.e. CreateRemoteThread under the water) instead.
-  //if (HANDLE h = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)fun, &__ImageBase, 0, NULL)) {
-  //  ::CloseHandle(h);
-  //  return true;
-  //}
-  return false;
-}
-
 // EOF